Information Sheet. PCI DSS Overview

Transcription

The payment card industry (PCI) protects cardholder data through technical and operational standards set by its Council. Compliance with PCI standards is mandatory. It is enforced by the major payment card brands that established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standards have three components that cover all organisations which must protect cardholder data, from device manufacturers to developers of payment software applications (and their vendors) and merchants and processors.

Requirements for Merchants and Processors

If your business accepts or processes payment cards, it must comply with the third component of the PCI standards: the PCI Data Security Standard (PCI DSS). The standard in fact governs all merchants and organisations that store, process and transmit cardholder payment data. It covers all system elements that are included in, or connected to, the environment holding cardholder data. The PCI DSS is designed to help you protect customer account data and is comprehensive: it includes requirements for security management, policies, network architecture, software design and other critical protective measures. It is important to note that no call recording system can itself be regarded as PCI DSS-compliant: it is the environment in which the system is used that may be judged compliant, as concluded by a security assessor. This is because the PCI DSS is subject to interpretation.

Summary of PCI Standard Requirements

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information

The full standard is published by the Council. We recommend you review these standards independently.

Red Box Recorders and PCI DSS

Red Box recording solutions fall under the PCI DSS. Meeting the requirements of PCI DSS is made simple, as our solutions are designed with the highest levels of resilience and compliance in mind. Requirements 3, 4, 7, 8 and 9 above specifically relate to applications such as call recording. Our solutions address these requirements as follows:

Red Box Recorders can provide an API for system integrators to develop an application that lets users stop and start recording during a transaction. This prevents credit card and other personal data from being recorded via voice and/or screen. Your contact centre can therefore avoid the capture and storage of audio containing card validation codes, PINs or PANs (requirements 3 and 9).

Red Box solutions temporarily cache recorded content in a proprietary format with read and write permissions disabled for all users. These files are compressed and encrypted before being transported over the network and stored on the NAS device. Where the transport of files includes any open, public networks, we recommend you use a VPN for additional security. This prevents users from accessing stored files or intercepting files while they are transferred over the network (requirements 3 and 4).

Our solutions provide role-based access and user privileges. For example, you may block users from accessing certain recordings that include cardholder data. Users must be configured and licensed by an administrator before they can access the system. The default configuration is no access (requirement 7).

We enable the strong access control requirements of PCI by using Microsoft's Active Directory Services for user authentication. Active Directory configuration options meet specific requirements for user ID assignment, first-time passwords, user termination, time-limited accounts, password strength, time limits and lockouts. In addition, our desktop application enforces configurable session timeout limits and requires reauthentication once a user exceeds the inactivity time limit (requirement 8).

PCI Compliance with No Card Data Storage

An optional application to assist call centres in complying with PCI DSS is to stop and re-start the call recording for the duration that payment details are being taken over the phone. This can be achieved either through CTI integration or by giving the agent control of the recording. This type of solution addresses the immediate issue of call recording systems capturing card details during a call, but it still leaves the potential issue of call handlers hearing the sensitive data, which can be deemed a potential leakage point for security breaches. To prevent a potential security breach, call centres may consider the option of clean call rooms and paperless offices on top of the investment required in the underlying call recording solution.

For any organisation that needs to keep a full audit trail of every interaction with customers, stopping and re-starting the recording around card payment details is not a feasible option, as the call recording becomes segmented and is no longer an end-to-end record of the customer transaction. FSA-regulated organisations in particular would need to be attentive to keeping the call recording complete.

Red Box Recorders can provide an additional application for total card security of telephone payments. The application enables customers to enter their card data via DTMF tones, which keeps the card data hidden from the agent while bypassing the call recorder. This not only means that card data does not get recorded, but it also ensures that the call recording remains uninterrupted, therefore capturing every part of the customer transaction. In this scenario no card data at all is stored by the Red Box system, and the risk of any fraudulent activity is significantly reduced.

Call Centre Specific Response from PCI Security Standards Council

When must audio recordings containing cardholder data and/or sensitive authentication data be protected or stored?

This response is for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID by the payment brands). It is intended to provide clarification for call centres regarding potential storage of card validation codes and values, and their compliance with the PCI DSS. (Adapted from the PCI SSC website.)

1. It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after transaction authorisation.
2. Call centres may receive cardholder data that includes sensitive authentication data and be unable to delete this sensitive data, since individual elements cannot easily be deleted from an audio recording.
3. These call centres and all cardholder data are in scope for PCI DSS. However, if the storage of card validation codes and values meets the unique circumstances described in this response AND these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. If you use commercially reasonable technology to delete these data elements, then these elements should be deleted.
4. If the individual data elements within an audio file can never be queried, only the physical and logical protections defined in PCI DSS version 1.1 must be applied to these audio files.
5. Additionally, if these audio files that can never be queried are copied to magnetic tape media, that media must also be protected in accordance with PCI DSS.
6. However, if card validation codes and values stored on audio files are subject to technology that allows for the capture and transposition of the speech/audio data into a format that can be queried (for example, digital or other file formats), the sensitive authentication data, including card validation codes and values, must not be stored and must be deleted immediately after authorisation.
7. All other cardholder data captured by call centres must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4. All other entities must protect cardholder data in accordance with PCI DSS, including requirements 3.2 and 3.4.

Red Box Recommendations to Address PCI DSS

Address PCI requirements 1, 2, 6, 7, 8 and 10 through your network infrastructure environment; the network team or system integrator should incorporate the required features during deployment. The IT/network team or your system integrator should address requirements 5, 6, 11 and 12.

Discuss the opportunity with your Red Box representative to evaluate the option of no card data storage through the use of an additional application that allows customers a secure mode for entry of card payment details, bypassing both the call recorder and the agent handling the call.

Red Box will work closely with your networks team, system integrators, QSAs and internal audit teams to ensure that we implement a call recording solution that enables customers to conform to PCI requirements.
